@0x9900
Last active August 29, 2015 14:13
Check spamdb whitelisted addresses against RBLs.
#!/usr/local/bin/bash
#
# (c) Sometime in 2015 by Fred C. @0x9900
#
# Checks whitelisted IPs in spamdb and, if they are known by any of the
# following DNSBL lists, tags them as trapped. This script only checks
# the IP addresses whitelisted since the last run. Therefore the date
# of the last run is stored in a file called /tmp/spamtrap.status.
#
# - abuseat.org
# - barracudacentral.org
# - spamcop.net
# - spamhaus.org
#
# Since spamdb has to be run by root you can add the following line to
# your `/etc/sudoers' file.
#
# userid ALL=(ALL) NOPASSWD: /usr/sbin/spamdb -t -a
#
# I run this script hourly in cron.
#
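set -o nounset

# Names of the DNSBL check functions defined further down in this script;
# the main loop calls each entry as a command.
declare -a RBL_LST=( "junkemailfilter" "spamhaus" "spamcop" "barracudacentral" "abuseat" )

# Shuffle the list so the same RBL is not always hit first on each run.
# The array is permuted in place (Fisher-Yates on $RANDOM). The earlier
# `declare -a RBL_LST=$(...)` form stored the whole shuffled output in
# element 0 and left elements 1-4 as they were, so four of the five lists
# could be queried twice for an address that is not listed anywhere.
for (( _rbl_i = ${#RBL_LST[@]} - 1; _rbl_i > 0; _rbl_i-- )); do
  _rbl_j=$(( RANDOM % (_rbl_i + 1) ))
  _rbl_swap=${RBL_LST[_rbl_i]}
  RBL_LST[_rbl_i]=${RBL_LST[_rbl_j]}
  RBL_LST[_rbl_j]=${_rbl_swap}
done
unset _rbl_i _rbl_j _rbl_swap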
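# Epoch time of the previous run is kept in this file.
# NOTE(review): a fixed name under /tmp can be pre-created or replaced by any
# local user, so the content is validated below before it is used. A
# directory writable only by the account running this script would be a
# safer home for it.
STATUS_FILE="/tmp/spamtrap.status"

# Commands used to tag an address; the main loop appends the address.
# NOTE(review): both go through sudo, while the sudoers line in the header
# only lists `spamdb -t -a`. Confirm the rule also covers `spamdb -a` and
# still matches once the address argument is appended.
BLACKLIST_IP="sudo spamdb -t -a "
WHITELIST_IP="sudo spamdb -a "

# First run (status file missing or empty): record the time and stop.
# Nothing has been created yet at this point, so there is nothing to clean up.
if [[ ! -s "${STATUS_FILE}" ]]; then
  echo "${STATUS_FILE} not found creating it"
  date +%s > "${STATUS_FILE}"
  echo "Run that program again later."
  exit 0
fi

# The value is handed to date and awk later on; accept digits only.
LAST_RUN=$(< "${STATUS_FILE}")
if [[ ! "${LAST_RUN}" =~ ^[0-9]+$ ]]; then
  echo "${STATUS_FILE} does not contain a timestamp, remove it and run again" >&2
  exit 1
fi
# `date -r <seconds>` is the BSD form of the option.
echo "Last run was at: " $(date -r "${LAST_RUN}")

# The scratch file is created last so the early exits above cannot leave
# one behind (the cleanup trap is only installed after this point).
TEMPLATE="${0##*/}.XXXXXXXXX"
TMPFILE=$(mktemp -t "${TEMPLATE}") || exit 1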
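#######################################
# Remove the scratch file and end the script.
# Globals:   TMPFILE (read)
# Returns:   never returns; always exits with status 0, whatever the
#            status was when the trap fired.
#######################################
cleanup() {
  # Quoted and preceded by -- so a path containing whitespace (for example
  # through TMPDIR) or starting with a dash is removed as a single operand.
  rm -f -- "${TMPFILE}"
  exit 0
}
trap "cleanup" EXIT INT TERM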
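#######################################
# Look up an address in hostkarma.junkemailfilter.com.
# The zone can answer with several codes (whitelist, blacklist, yellowlist
# for example); only the whitelist and blacklist answers are acted on.
# Arguments: $1 - IPv4 address with its octets reversed (d.c.b.a)
# Returns:   2 if an answer line is 127.0.0.1 (whitelist),
#            1 if an answer line is 127.0.0.2 (spammer),
#            0 otherwise, which includes an empty or failed lookup
#######################################
junkemailfilter() {
  local revip=${1}
  local response
  response=$(dig +short "${revip}.hostkarma.junkemailfilter.com")
  # -x compares whole answer lines, so 127.0.0.1 can no longer match inside
  # a longer value such as 127.0.0.10; -F takes the dots literally.
  if printf '%s\n' "${response}" | grep -qxF '127.0.0.1'; then
    return 2 # whitelist
  fi
  if printf '%s\n' "${response}" | grep -qxF '127.0.0.2'; then
    return 1 # spammer
  fi
  return 0
}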
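#######################################
# Look up an address in zen.spamhaus.org.
# Arguments: $1 - IPv4 address with its octets reversed (d.c.b.a)
# Returns:   1 if any answer line is a 127.0.0.x record (spammer),
#            0 otherwise, which includes an empty or failed lookup
# NOTE(review): zen combines several Spamhaus lists, including the policy
# list of end-user address ranges; confirm that trapping on every 127.0.0.x
# answer is what is wanted. Spamhaus error answers (127.255.255.x, e.g. a
# query refused because it came through a public resolver) do not match and
# are therefore reported as "not found".
#######################################
spamhaus() {
  local revip=${1}
  local response
  response=$(dig +short "${revip}.zen.spamhaus.org")
  # Whole-line match instead of a substring search for "127.0.0".
  if printf '%s\n' "${response}" | grep -Eqx '127\.0\.0\.[0-9]+'; then
    return 1 # spammer
  fi
  return 0 # not found
}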
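#######################################
# Look up an address in bl.spamcop.net.
# Arguments: $1 - IPv4 address with its octets reversed (d.c.b.a)
# Returns:   1 if an answer line is 127.0.0.2 (spammer),
#            0 otherwise, which includes an empty or failed lookup
#######################################
spamcop() {
  local revip=${1}
  local response
  response=$(dig +short "${revip}.bl.spamcop.net")
  # Whole-line, literal comparison: 127.0.0.2 must be the complete answer,
  # not a prefix of something longer.
  if printf '%s\n' "${response}" | grep -qxF '127.0.0.2'; then
    return 1 # spammer
  fi
  return 0 # not found
}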
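#######################################
# Look up an address in b.barracudacentral.org.
# Arguments: $1 - IPv4 address with its octets reversed (d.c.b.a)
# Returns:   1 if an answer line is 127.0.0.2 (spammer),
#            0 otherwise, which includes an empty or failed lookup
#######################################
barracudacentral() {
  local revip=${1}
  local response
  response=$(dig +short "${revip}.b.barracudacentral.org")
  # The answer has to be exactly 127.0.0.2 on a line of its own; a
  # substring hit inside a longer value does not count.
  if printf '%s\n' "${response}" | grep -qxF '127.0.0.2'; then
    return 1 # spammer
  fi
  return 0 # not found
}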
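#######################################
# Look up an address in cbl.abuseat.org.
# Arguments: $1 - IPv4 address with its octets reversed (d.c.b.a)
# Returns:   1 if an answer line is 127.0.0.2 (spammer),
#            0 otherwise, which includes an empty or failed lookup
#######################################
abuseat() {
  local revip=${1}
  local response
  response=$(dig +short "${revip}.cbl.abuseat.org")
  # Exact, line-anchored comparison rather than a substring search.
  if printf '%s\n' "${response}" | grep -qxF '127.0.0.2'; then
    return 1 # spammer
  fi
  return 0 # not found
}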
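# Search for new IP addresses inserted in spamdb since the last run
#
# The awk filter reads "|"-separated spamdb records and prints field 2 of
# every WHITE record whose field 5, or GREY record whose field 6, is greater
# than LR (the previous run time).
awk_program='
BEGIN {
FS="|"
}
/^WHITE|GREY/ {
if(($1 == "WHITE" && $5 > LR) ||
($1 == "GREY" && $6 > LR)) {
print $2
}
}'

# Recorded before the dump rather than after it, so entries that show up
# while this run is working are not skipped by the next run (to one-second
# resolution).
run_started=$(date +%s)

spamdb | awk -v LR="${LAST_RUN}" "$awk_program" | sort -n | uniq > "${TMPFILE}"
# A failed dump would otherwise look like "no new addresses" and the run
# time would still move forward, hiding those addresses from later runs.
if (( PIPESTATUS[0] != 0 )); then
  echo "spamdb failed, keeping the previous run time" >&2
  exit 1
fi

# Save the current run time
echo "${run_started}" > "${STATUS_FILE}"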
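# Search if the ip addresses are flagged in one of the rbl servers
#
# Each address read from the scratch file is checked against the RBL
# functions in list order; the first blacklist (1) or whitelist (2) answer
# decides and the matching spamdb command is run for that address.
ipv4_re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$'
while read -r ip; do
  # Only a plain dotted quad goes any further: the value ends up in DNS
  # query names and on the command line of a spamdb run through sudo.
  if [[ ! "${ip}" =~ ${ipv4_re} ]]; then
    echo "Skipping unexpected spamdb entry: ${ip}" >&2
    continue
  fi
  # DNSBL zones are queried with the octets in reverse order.
  revip="${BASH_REMATCH[4]}.${BASH_REMATCH[3]}.${BASH_REMATCH[2]}.${BASH_REMATCH[1]}"
  found=0
  # Left unquoted on purpose: entries are single-word function names, and
  # this also copes with a list whose names are packed into one
  # whitespace-separated element.
  for rbl_function in ${RBL_LST[@]}; do
    "${rbl_function}" "${revip}"
    result=$?
    if [[ $result == 1 ]]; then
      echo "Blacklisted: $rbl_function $ip"
      # The command is kept as a string, so it is split into words here.
      ${BLACKLIST_IP} "${ip}"
      found=1
      break
    elif [[ $result == 2 ]]; then
      echo "Whitelisted: $rbl_function $ip"
      ${WHITELIST_IP} "${ip}"
      found=1
      break
    fi
  done
  # An if statement rather than `[[ ... ]] && echo`, so the loop does not
  # end with a non-zero status when the last address was found.
  if [[ $found == 0 ]]; then
    echo "Not found $ip"
  fi
done < "${TMPFILE}"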